Unable to Access EC2 Instance in AWS Environment via Intermediate Account with VPC Peering
Description:
I am encountering difficulties accessing the Nexus server, which is hosted in the "prod" AWS account behind an internal ALB, from a Jenkins agent located in the "staging" AWS account. Both the "prod" and "staging" accounts have established VPC peering connections with the "admin" AWS account, acting as an intermediary.
Setup Details:
- Three AWS accounts: "admin," "prod," and "staging."
- VPC peering was established between the "prod" and "admin" accounts and between the "staging" and "admin" accounts.
- The Nexus server resides in a private subnet within the "prod" account and is accessible via an internal ALB.
- The Jenkins agent is situated in the "staging" account and requires access to the Nexus server, with a NAT gateway facilitating outbound internet access.
Problem:
When attempting to access the Nexus server (nexus.company.com) from the Jenkins agent to download artifacts, or even through the traceroute command, the packets fail to reach the destination. No intermediate hops respond along the path.
Actions Taken:
- Confirmed successful establishment of VPC peering connections between each pair of accounts.
- Verified that the Jenkins agent in the "staging" account can communicate with resources within the "admin" account.
- Ensured the Nexus server was operational and responding to requests from other resources in the "admin" and "prod" accounts.
I seek assistance identifying and resolving the issue preventing communication between the Jenkins agent and the Nexus server. Additionally, any insights into the proper configuration of VPC peering connections and routing tables would be highly appreciated.
Answers (1)
As @erik258 mentioned, VPCs do not support transitive peering. Please note that the workarounds below are based on the existing setup you have, i.e. prod <--peer--> admin <--peer--> staging.
Possible workarounds (assuming that you can't peer prod and staging for some reason):
- Simplest option, but not secure, would be through an IGW: since you already have a NAT GW in staging, deploy an internet-facing ALB/NLB in prod, target your Nexus servers/internal ALB respectively, and adjust NACLs/SGs.
- Using AWS PrivateLink: (I tried this and it does work)
- Set up an Endpoint Service in the prod VPC using an internal NLB with your existing internal ALB as the target.
- Use the service created in the step above to create an Interface Endpoint in the admin VPC.
- Now use the IP address of the Interface Endpoint created above to connect to Nexus from the Jenkins agent in the staging VPC.
- Make sure you have the necessary inbound and outbound rules on NACLs/SGs; since we are using PrivateLink for this, there is no need to worry about route tables.
- If you want to connect using the interface endpoint DNS name instead of the IP address, make sure DNS settings on the admin <--> staging VPC peering connection are enabled.
- Using VPC Lattice: I haven't tried this option, but it more or less uses the same concept as AWS PrivateLink, so you can try this too and let us know the outcome.
Hope this answers your question, thanks!!
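The PrivateLink workaround from the answer above, written out as Terraform. This is an added example, not code posted by the answer's author or by the question's author: the provider aliases, variable names (prod_vpc_id, nexus_internal_alb_arn, admin_account_id, staging_vpc_cidr, and so on) and the port 443 are assumptions for illustration. It wires the prod-side NLB to the existing internal ALB, publishes it as an endpoint service that only the admin account may consume, creates the interface endpoint in admin, and restricts the endpoint's security group so that only the staging VPC CIDR (reached over the existing staging <--> admin peering) can use it.

```hcl
# Added example (not from the original thread). Two provider aliases are assumed,
# one per account; how they authenticate is out of scope here.
provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
}

provider "aws" {
  alias  = "admin"
  region = "eu-west-1"
}

# All of these values are assumptions supplied by the operator.
variable "prod_vpc_id" {}
variable "prod_private_subnet_ids" { type = list(string) }
variable "nexus_internal_alb_arn" {}   # the existing internal ALB in prod
variable "admin_account_id" {}
variable "admin_vpc_id" {}
variable "admin_private_subnet_ids" { type = list(string) }
variable "staging_vpc_cidr" {}         # e.g. the CIDR of the staging VPC

# --- prod account: internal NLB whose target is the existing internal ALB ---
resource "aws_lb" "nexus_nlb" {
  provider           = aws.prod
  name               = "nexus-privatelink-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.prod_private_subnet_ids
}

# target_type "alb" is what lets an NLB forward TCP to an ALB in the same VPC.
resource "aws_lb_target_group" "nexus_alb_tg" {
  provider    = aws.prod
  name        = "nexus-alb-tg"
  target_type = "alb"
  protocol    = "TCP"
  port        = 443
  vpc_id      = var.prod_vpc_id
}

resource "aws_lb_target_group_attachment" "nexus_alb" {
  provider         = aws.prod
  target_group_arn = aws_lb_target_group.nexus_alb_tg.arn
  target_id        = var.nexus_internal_alb_arn
  port             = 443
}

resource "aws_lb_listener" "nexus_tls" {
  provider          = aws.prod
  load_balancer_arn = aws_lb.nexus_nlb.arn
  protocol          = "TCP"
  port              = 443
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nexus_alb_tg.arn
  }
}

# Endpoint service: only the admin account may create endpoints against it,
# and each connection must be accepted explicitly on the prod side.
resource "aws_vpc_endpoint_service" "nexus" {
  provider                   = aws.prod
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.nexus_nlb.arn]
  allowed_principals         = ["arn:aws:iam::${var.admin_account_id}:root"]
}

# --- admin account: interface endpoint, reachable from staging over peering ---
resource "aws_security_group" "nexus_endpoint" {
  provider = aws.admin
  name     = "nexus-endpoint-sg"
  vpc_id   = var.admin_vpc_id

  # Scope ingress to the staging VPC rather than 0.0.0.0/0 or the whole admin VPC.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.staging_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "nexus" {
  provider            = aws.admin
  vpc_id              = var.admin_vpc_id
  service_name        = aws_vpc_endpoint_service.nexus.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.admin_private_subnet_ids
  security_group_ids  = [aws_security_group.nexus_endpoint.id]
  private_dns_enabled = false
}

# Accept the admin endpoint's connection request in prod.
resource "aws_vpc_endpoint_connection_accepter" "nexus" {
  provider                = aws.prod
  vpc_endpoint_service_id = aws_vpc_endpoint_service.nexus.id
  vpc_endpoint_id         = aws_vpc_endpoint.nexus.id
}

# The Jenkins agent in staging connects to this name (or the endpoint's ENI IPs).
output "nexus_endpoint_dns" {
  value = aws_vpc_endpoint.nexus.dns_entry[0].dns_name
}
```

Two caveats a practitioner should check after applying this: the internal ALB's own security group in prod must allow 443 from the NLB's private addresses, because traffic arriving through PrivateLink carries the NLB node's source IP rather than the Jenkins agent's; and the TLS certificate served by the ALB will not match the endpoint's generated DNS name, so either point a private hosted zone record for nexus.company.com at the endpoint (with DNS resolution enabled on the staging <--> admin peering) or configure the Jenkins client to trust the name it actually connects to.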